GDPR : Article 36 - Prior Consultation

by Avinash V


The GDPR introduces the concept of "prior consultation," an essential mechanism designed to enhance the protection of individuals' personal data in situations where data processing activities may pose high risks to data subjects' rights and freedoms. This article aims to explore the concept of prior consultation under the GDPR, its importance, scope, procedural aspects, and implications for organizations.

GDPR : Article 36 - Prior Consultation

Understanding Prior Consultation

Prior consultation, a key provision of the General Data Protection Regulation (GDPR), involves seeking guidance from supervisory authorities before engaging in high-risk data processing activities. This process ensures that potential risks to individuals' rights and freedoms are assessed and mitigated.

Organizations identify activities that pose significant risks, engage with supervisory authorities, provide detailed information, and receive feedback. This proactive approach enhances compliance, promotes transparency, and fosters responsible data management, ultimately upholding the GDPR's core principles of data protection and privacy.

Importance of Prior Consultation

Prior consultation under the General Data Protection Regulation (GDPR) holds pivotal importance in safeguarding data subjects' rights. It provides a proactive avenue for organizations to collaborate with supervisory authorities, seeking expert guidance on high-risk data processing activities. This process ensures thorough risk assessment and mitigation, fostering responsible data management.

By engaging in prior consultation, organizations demonstrate their commitment to data protection, transparency, and compliance with GDPR principles. This mechanism not only helps prevent potential data breaches but also upholds trust between organizations and individuals, thereby reinforcing the GDPR's overarching goal of safeguarding personal data and privacy.

Scope of Prior Consultation

The scope of prior consultation encompasses a range of data processing activities that are likely to result in high risks to individuals' rights and freedoms. These include, but are not limited to, instances where:

1. Profiling and Legal Effects: Prior consultation is warranted when systematic, extensive profiling is conducted, potentially leading to significant legal or similarly significant effects on individuals.

2. Large-Scale Processing of Sensitive Data: High-risk scenarios arise when sensitive personal data, such as health or biometric information, is processed on a large scale, requiring consultation to assess and mitigate associated risks.

3. Monitoring and Surveillance Activities: Prior consultation is essential for processing activities involving systematic monitoring of individuals, like employee surveillance, to address potential threats to data subjects' rights.

4. Innovative Technologies and Operations: Engaging supervisory authorities becomes necessary when novel technologies or innovative data processing methods are employed, especially if the processing could lead to high risks to data subjects.

In these contexts, prior consultation acts as a safeguard, ensuring that data controllers assess risks and implement necessary measures to comply with the GDPR's stringent data protection requirements.

GDPR Implementation Toolkit

Procedural Aspects of Prior Consultation

The process of prior consultation involves several key steps:

  • Identification of High-Risk Processing Activities: Data controllers must identify processing activities that meet the criteria for high risk under Article 36(1) of the GDPR.
  • Engaging the Supervisory Authority: The data controller initiates the prior consultation process by contacting the relevant supervisory authority. The consultation process should involve providing comprehensive information about the intended processing activities, associated risks, and proposed measures to mitigate those risks.
  • Supervisory Authority's Assessment: The supervisory authority evaluates the provided information to determine the potential risks and safeguards. They may provide recommendations, conditions, or approvals regarding the proposed processing activities.
  • Data Controller's Response: Based on the supervisory authority's feedback, the data controller may need to adjust their processing activities, implement additional safeguards, or address any concerns raised.
  • Final Decision: The supervisory authority provides a final decision, either approving the processing activities with specified conditions or rejecting them if the risks remain unacceptably high.

Implications for Organizations

Prior consultation has significant implications for organizations subject to the GDPR:

1. Compliance: Organizations must be aware of their obligations under the GDPR and proactively engage in the prior consultation process when undertaking high-risk data processing activities.

2. Risk Mitigation: By seeking guidance from supervisory authorities, organizations can enhance their risk management strategies and ensure that data processing activities align with legal requirements.

3. Transparency and Accountability: Engaging in prior consultation demonstrates an organization's commitment to transparency, accountability, and responsible data handling practices.

4. Avoiding Penalties: Organizations that fail to comply with the prior consultation requirement may face substantial fines and reputational damage.


The prior consultation mechanism under the GDPR plays a crucial role in ensuring the protection of individuals' personal data in high-risk processing activities. By involving supervisory authorities in the decision-making process, organizations can mitigate potential risks, enhance compliance, and uphold the fundamental principles of data protection and privacy.


GDPR Implementation Toolkit